5.6.2 SSL-VPN option "same as client system DNS", why did they do this? Windows security issue


    Posted Sep 05, 2017 10:01 AM


    We are rolling out some SSL-VPN (tunnel mode) for remote admin purposes and are using 5.6.2.

    The goal of our VPN Setups has always been:

    • no split-tunnel
    • all traffic after tunnel is established must go through VPN

    Now with 5.6.2 this has been an unpleasant journey; first, the default setting is something called "same as client system DNS".

    I really would like to understand why Fortinet has done this.

    The description on this topic is bad, the KB article that they wrote after my case is bad. There is no use case description and discussion.

    What we found out in our environment:

    - under Windows, it adds the DNS server that our clients have, e.g. a private IP 192.168.x.x, to the SSL-VPN entry and, heaven forbid, all DNS queries even when the tunnel is established go out to that local DNS IP!!!

    - under iOS, it adds the private IP DNS server to the config and all DNS queries are forwarded to the FortiGate, which will absolutely not do anything reasonable with them ;) 


    Now you think it would be that easy:



    • For all SSL-VPN tunnel mode connections use a FortiGate DNS IP
    • Oh yes, I want to enable DNS Filtering on those requests ;)

    That was the standard concept, but:

    FortiGate does not support this. It won't do what most solutions allow: assign the gateway of the SSL VPN also as the DNS proxy.

    The workaround that we are using, which I really despise (I don't like using an IP that is unrelated to the SSL VPN config):

    1) configure DNS to be forwarded from any interface that you like, in our case internal/lan, to the System DNS

    2) configure the SSL VPN options to specify the internal/lan FortiGate interface IP as the DNS server

    3) don't forget to add an IPv4 policy to allow this DNS traffic !!!

    4) and in our case we want to block any other DNS traffic, so another policy


    The solution that I would have preferred would have been:

    - SSL VPN option "same as SSL VPN gateway" for DNS

    - DNS configuration option to forward to System DNS

    no policy needed, as it is implicit that you would like this DNS to be working; maybe a local-in policy to block it if someone really does not want any DNS.


    Maybe someone from Fortinet can bring some clarity into what you actually want to do with SSL VPN tunnel mode, and then we will understand how to use the product. Especially, make up your mind whether you really want DNS to behave differently for Windows/iOS.
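The four-step workaround above, written out as FortiOS CLI. This is an added example and not configuration from the original post or from Fortinet; the interface name "internal", the interface IP 10.0.0.1, the tunnel interface "ssl.root", the address object names and the DNS filter profile name "default" are assumptions, and whether an IPv4 policy (rather than a local-in policy) is what actually passes tunnel-to-interface-IP DNS traffic is taken from the poster's own observation, not verified here.

```fortios
# Step 1: make the FortiGate answer DNS on the internal interface and resolve
# via the system DNS servers (recursive = forward unknown names upstream).
config system dns-server
    edit "internal"
        set mode recursive
    next
end

# Step 2: hand every SSL VPN tunnel-mode client the internal interface IP
# as its DNS server instead of the default "same as client system DNS".
# 10.0.0.1 is an assumed interface IP.
config vpn ssl settings
    set dns-server1 10.0.0.1
end

# Address object for the FortiGate's own internal IP (assumed name/value).
config firewall address
    edit "FGT-internal-ip"
        set subnet 10.0.0.1 255.255.255.255
    next
end

config firewall policy
    # Step 3: allow DNS from the tunnel to the FortiGate's internal IP and
    # apply DNS filtering to those queries. SSLVPN_TUNNEL_ADDR1 is the
    # default SSL VPN IP-pool address object.
    edit 0
        set name "SSLVPN-DNS-to-FortiGate"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "FGT-internal-ip"
        set action accept
        set schedule "always"
        set service "DNS"
        set utm-status enable
        set dnsfilter-profile "default"
    next
    # Step 4: drop any other DNS leaving the tunnel. This policy must sit
    # ABOVE the general "tunnel to anywhere" accept policy in the sequence,
    # otherwise the broader policy matches first and the block never applies.
    edit 0
        set name "SSLVPN-block-other-DNS"
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

Policy order is the part that bites in practice: after adding the deny rule, check the sequence with `show firewall policy` and move it above the catch-all tunnel policy if needed (`move <deny-id> before <accept-id>` inside `config firewall policy`). From a Windows client with the tunnel up, `nslookup` against the FortiGate's internal IP should resolve, while `nslookup example.com 8.8.8.8` should time out and appear as a denied session in the traffic log.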